
The Pegasus attack starts with a text (SMS) phishing attack using spoofed sender numbers and anonymised domains to deliver malware to the target’s iPhone.

This is the first active mobile threat that takes complete control of an Apple device with just one click, the researchers said.

“This discovery is further proof that mobile platforms are fertile ground for gathering sensitive information from target victims, and well-resourced threat actors are regularly exploiting that mobile environment,” said Mike Murray, vice-president of security research and response at Lookout.

A key lesson from the Trident attack for enterprise CISOs and CIOs is that “mobile devices and enterprise intellectual property are being targeted by sophisticated corporate espionage,” he wrote in a blog post.

Trident used in Pegasus spyware

According to the researchers, Trident is used by an Israeli security startup called the NSO Group in its mobile spyware product, Pegasus.

The company, which appears to have no website, is thought to rely on exploiting security vulnerabilities in consumer software to help law enforcement and spies, but also claims it can help monitor smartphones of people targeted by government agencies, according to the Wall Street Journal.

The Pegasus spyware is extremely sophisticated and modular to allow for customisation, and uses strong encryption to evade detection.

Citizen Lab recently caught the first in-the-wild sample of the iOS version of Pegasus, describing in a report how a government targeted an internationally recognised human rights defender, Ahmed Mansoor, with Trident.

However, the researchers said they are aware that the NSO Group advertises similar products for Android and Blackberry to spy on victims.

According to the researchers, Pegasus is the most sophisticated attack seen on any endpoint because it takes advantage of how integrated mobile devices are in people’s lives and the combination of features only available on mobile: always connected (Wi-Fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords and contact lists.

The three vulnerabilities that make up Trident and have been patched by Apple in the 9.3.5 security update to iOS are:

A vulnerability in the Safari WebKit JavaScript engine that allows the attacker to compromise the device when the user clicks on a link (CVE-2016-4654).

A kernel base mapping vulnerability that leaks information that enables attackers to calculate the kernel’s location in memory (CVE-2016-4655).

A kernel-level vulnerability that allows attackers to jailbreak the device and install surveillance software.

What makes this specific type of attack particularly sophisticated is the number of vulnerabilities that had to be chained to make it a seamless attack requiring very little user interaction, said Guillaume Ross, senior security consultant at Rapid7.

“This attack basically exploits an issue in Safari, exploits the kernel to effectively jailbreak the phone and then persists on to the device,” he said.

“Jailbreak software is regularly released publicly and exploits such vulnerabilities, but with a major difference: this software exploits the iOS device locally, over USB or such an interface, and not simply by clicking a link, though that has also occurred in the past.”

Lookout researchers are urging all iOS users, individuals and businesses to update to the latest version of the mobile operating system as soon as possible.

Apple said in a statement: “We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”
